APT malware NetTraveler learning new tricks

An Advanced Persistent Threat (APT) called NetTraveler has been spotted making mischief again, but it appears to have learned a few new tricks since it was last spotted in June.

The malware is now attacking a known Java vulnerability, CVE-2013-2465, and added water holing to its propagation strategy, according to new research from Kaspersky Lab.

Kaspersky sounded the alarm about NetTraveler, also known as Travnet and Netfile, in June, when it reported the backdoor software was spearheading a cyber espionage campaign that had been running for eight years.

The campaign targeted more than 350 high-profile victims from more than 40 countries, including political activists, research centers, governmental institutions, embassies, military contractors and private companies from various industries.

At that time, NetTraveler was exploiting two vulnerabilities in Microsoft Office, CVE-2012-0158 and CVE-2010-3333, both previously patched by the software maker.

This time, though, NetTraveler's puppetmasters are training their sights on Java. In one flavor of the attack, spear phishing messages containing malicious links are sent to likely targets. The link leads to a poisoned website which will stealthily infect the computer of an unsuspecting visitor with the APT, which is programmed to steal files from its host.

"In addition to the spear phishing e-mails, watering hole attacks have become another popular method to attack unsuspecting victims by the APT operators," Kaspersky researcher Costin Raiu wrote in a blog post.

"There is perhaps no surprise that the NetTraveler attacks are now using this method as well," he said.

All the NetTraveler activity observed by Kaspersky has been aimed at Uyghur activists. They have been agitating for the separation from China of largely Muslim East Turkistan, located in Xinjiang, a region in the northwest corner of that country. So it's no surprise that the malware operators chose the Islamic Association of Eastern Turkistan website for their watering hole exploit.

The attackers planted an iframe on the IAET home page that fetches malware from a site they control and clandestinely plants it on the computers of IAET visitors.
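A defender-side check for the kind of injection described above, added here as an example and not code from Kaspersky or the article: it parses a page's HTML and flags iframes that point off-site or are hidden. The sample page, the site hostname and the attacker domain are constructed placeholders.

```python
"""Flag injected iframes on a site's own pages (watering-hole triage).

Assumes the defender fetches their own site's HTML; the sample below is
constructed, and the attacker host is a placeholder, not a real indicator.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate embed plus one hidden, off-site iframe.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.org/news/embed" width="600" height="400"></iframe>
<iframe src="http://attacker-placeholder.invalid/x.html" width="0" height="0"
        style="display:none"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def is_hidden(attrs):
    """Zero/one-pixel frames or CSS-hidden frames are the classic injection shape."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html, site_host):
    """Return [(src, [reasons])] for iframes that are off-site and/or hidden."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or site_host  # relative src = same site
        reasons = []
        if host != site_host:
            reasons.append("off-site source")
        if is_hidden(attrs):
            reasons.append("hidden or zero-size")
        if reasons:
            findings.append((src, reasons))
    return findings
```

Run it against a crawl of your own pages and diff the results over time; a new off-site hidden iframe appearing on a previously clean page is the signal worth investigating.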

"Spear phishing campaigns are still the tip of the spear for attack vectors," said JD Sherry, vice president of Technology and Solutions for Trend Micro.

"However," he continued, "the intelligent hacking crews, the more sophisticated hacking crews, are leveraging these water holing techniques."

Water holing allows attackers to compromise a trusted site and infect the site's loyal followers. "Attackers will inject malicious capabilities into that site through a vulnerability," Sherry told CSOonline.

"Waterholing is a huge attack vector," he said. "We're seeing a seismic shift in water holing capabilities. That's going to continue as some of the sophisticated hacking crews begin to compromise news outlets and financial sites -- places where people go day-to-day with unprotected systems."